TRENDING

Internet blackout looms for 300K DNSChanger-infected computers

By William Jackson

Jun 20, 2012

Less than three weeks before the deadline for taking clean DNSChanger servers offline for good hundreds of thousands of computers still are using the servers for DNS queries and face the risk of being cut off from the Internet July 9.

The situation is the result of a click-jack scheme to redirect Web traffic that was shut down by the FBI in November. To allow time for the clean-up of infected computers, the FBI obtained court orders allowing the temporary operation of clean DNS servers using the gang’s IP addresses by Internet Systems Consortium. The second of those orders expires July 9, and when the servers are shut down DNS queries sent to them will go nowhere.

According to the DNSChanger Working Group, more than 300,000 unique IP addresses still were communicating with the stopgap servers as of June 11, and the number of affected users could be much higher.

“I believe the number is four times that much,” said Vikam Thakur, principal security response manager at Symantec.

Many households have multiple computers behind a home router using a single IP address, he said. Even if the computers are not now infected with the malware, they still could be using the wrong DNS servers if settings on the router have not been corrected. Some Internet service providers also are internally redirecting DNS queries away from the temporary addresses.

“That traffic does not hit the ISC servers,” and is not being counted, Thakur said. But the computers still could be infected with DNSChanger malware and should be cleaned up, because the ISP redirection is only another temporary fix.

Although traffic to the temporary ISC servers has been cut by more than half since the FBI shut down the Estonian fraud ring in November, that improvement represents the low-hanging fruit. It is unlikely that very many of the remaining infections will be cleaned up by the July 9 deadline, Thakur said. The deadline for shutting down the temporary servers already has been extended once by four months. (Just before the first deadline arrived in March, Rod Rasmussen, a member of the working group, said federal agencies had mostly cleaned their systems of the malware.)

“If people did not act three months ago, the chances of them acting in the next three weeks are very small,” he said. “The clean-up rate in the next month will be very low.”

DNSChanger malware infected as many as 4 million users around the world and was used to direct DNS queries to malicious servers operated by the criminal gang. The servers would direct traffic to malicious sites offering counterfeit services or products. “Not only did the cyber thieves make money from these schemes, they deprived legitimate website operators and advertisers of substantial revenue,” the FBI wrote in explaining the scheme.

Arresting the criminals stopped the crime but did nothing to restore the correct DNS settings on infected computers. The clean ISC servers were established as a temporary measure to buy time, and now that time is running out.

According to the working group, traffic to the ISC servers peaked at 816,718 unique IP addresses contacting them Nov. 16, just days after the FBI arrests, and dropped sharply to 400,000 or 500,000 a day soon afterward. By March 8, the original shut-off date for the servers, the number had dropped to 379,217 addresses. In the nearly four months since then the number has dropped only to 303,867.

The working group, an ad hoc group of subject matter experts from a number of industry and academic organizations, offers instructions for detecting and fixing the problem, but many users are unaware of the issue or lack the confidence to tackle it.

Some large ISPs have been proactively contacting users believed to be infected by the malware to help them get cleaned up, but “they still are in the minority,” Thakur said. ISC data on affected IP addresses also is available to other organizations such as universities with large numbers of users, so that they can help infected users. But many organizations do not have the resources to conduct such outreach.

ISPs are bracing for a surge of customer service calls in July when Internet access disappears for infected customers, Thakur said. “They are expecting it and they are prepared for it."

About the Author

William Jackson is freelance writer and the author of the CyberEye blog.